You Don't Own What You Buy, Part 15,332: Cisco Forces Questionable New Firmware On Routers

from the not-cool dept

One of the things that we keep learning in a connected, digital age, is that what you think you "bought" you often don't really own. Companies who sell you products seem to feel a certain freedom to unilaterally change the terms of your purchase, after the fact. I'm reminded of Sony removing key features on the PS3, though there are plenty of other examples. A new one is the story of Cisco, pushing out a firmware update to routers without customer approval and (even worse) having that firmware update block people from logging in directly to their own routers. Apparently, if you don't like it... er... too bad.

Cisco has started automatically pushing the company's new "Cloud Connect" firmware update to consumer routers -- without customer approval. Annoyed users note that the update won't let consumers directly log into their routers anymore -- they have to register for a new Cloud Connect account. The only way to revert to directly accessing the device you paid for? You have to unplug it from the Internet.

Oh, and registering for such an account means you have to agree to give up your data so that Cisco can sell it. As per the terms:

...we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); Internet history; how frequently you encounter errors on the Service system and other related information ("Other Information"). We use this Other Information to help us quickly and efficiently respond to inquiries and requests, and to enhance or administer our overall Service for our customers.

We may also use this Other Information for traffic analysis (for example, determining when the most customers are using the Service) and to determine which features within the Service are most or least effective or useful to you. In addition, we may periodically transmit system information to our servers in order to optimize your overall experience with the Service. We may share aggregated and anonymous user experience information with service providers, contractors or other third parties...

Seems like a good way to drive people into buying routers from other companies. I can see how a "cloud service" could have value, but it should be presented to users as a choice, where the actual benefit to them (if there is one) is clearly presented. Instead, this rollout seems designed solely to benefit Cisco and its partners, rather than the people who bought (or so they thought) their routers.

Re:

This was actually an on-the-box feature, from what I've read, that these routers would receive a free upgrade to the new "Cloud Connect" firmware when it was available. So it seems right that they would receive it.

"The new Linksys EA4500, EA3500, and EA2700 routers are available now and cost $199, $139, and $99, respectively. Cisco promises that a full range of its cloud-enabled services will be available by June."

Re: Re: Re: Re:

That or Tomato. I haven't seen a new stable build of dd-wrt in a while. When I upgraded (laterally moved?) from a Linksys WRT610N to a Linksys E3000, I installed a modified build of TomatoUSB on day one after spending the previous week researching the various custom firmwares available. I may be in the minority, but I still liked Linksys' hardware, but both my future purchases and my recommendations for others will probably be Netgear for a while because of this one.

Re: Re:

That'll do a load of good, since it's rare that regular users log in to their router - except when their internet connection is down.

Haha too true. So to check my public side connection I'll have to go to my neighbors', use their Internet connection to find my password, and sneaker-net it back to my house. All while keeping my cable co. support representative on hold.

Re: Eh.

This is what happens when companies are allowed, via stupid decisions from ignorant judges, to change the terms and conditions of an item, after it has been purchased and when those changes are forced on to buyers with no choice other than the one the company wants, save using a different item, which is usually not an option because the particular service won't work. Good choice Cisco and many tnx!!

Re:

"because the particular service won't work"

Really? You can only use your net connection with a Cisco router? While I of course think this is a shit move on their part, the customer does have all the freedom in the world to take them to Small Claims court and to switch to a different router. This would be a different matter entirely if this were the ISP doing this.

Re: Re: Re:

ATT can 'require' certain routers all they want. Any router will still work with any of their modem only options. I've been doing residential DSL installations in my area for nearly as long as DSL has been available. I have yet to see a router that won't work for ATT DSL. They just won't help you set it up.

Re: Re: Re:

Once the DSL signal is past the telco or cableco dataset it's none of their damn business what you hook up to it. They just won't support it at their help line.

ISPs will and do provide wireless router or router/dataset combinations that they've rebranded, mostly ATT and 2Wire. They get to share the "sale" with ATT and 2Wire when they do that. I have no idea if 2Wire is as bad as it was when it first appeared but until I find out I will never, ever, have one.

Sad, you know. Cisco gear, till this, used to be a bit old fashioned and crotchety but it ran forever. Oh, the price of progress.

Re: Re: Re: Re:

I've had AT&T DSL for about a decade now. With a more modern 2Wire router being given to us when we cancelled then signed up for DSL services again about 6 years ago. The first router was, in my opinion, great. Minimal hassle to set up and secure. AT&T wanted to charge me $200 to have a tech come to my home and do it, I laughed and told them no thanks. Did it myself in under a minute. When it broke (about a year ago), the rep on the line was nice enough to send out a replacement for free (despite stating that AT&T's current policy, about a year ago, was that a customer had to pay to replace the router and it would've been like $100-150). Since then no problems.

Although recently, we had a random out of nowhere thunderstorm (WITH HUGE HAIL, which is rare for South Texas) and I lost service for a day. When it came back, somewhat, I couldn't connect and when I called they tried to blame me (an IT guy) for not setting it up right or doing something I shouldn't be doing and a ton of other excuses/stuff they said was my fault. I told them that since my neighborhood first got DSL service they had always been at fault for our problems. Laying the lines and then just tossing almost no dirt on them, which led to them being cut by someone's lawnmower. Burying the line in the ditch that until two years ago had no out (so when it flooded, it would fill and take out the neighborhood's service until it was drained by the city and had time to dry) and so on. I then hung up on them and reconnected my router and it worked, with a catch. Now I had to set it up from scratch (not the router but my service) and AT&T installed a ton of crapware on my laptop just to get my connection going again (all settings preserved from before). I just uninstalled it all and have been good to go since.

Out of all the routers I've set up in my life, 2Wire has always been the easiest to set up/use. With Linksys acting up a lot, but only if used in conjunction with older (pre-2Wire) AT&T DSL routers. Cisco I usually recommend as it's mostly hookup and you're set (if you run the disc, which many people forget to do). Recently I've tried out the Amped products (for work) and have been more than pleased with those, the range is insane. But they are kind of pricey (as in $120+ for pretty much all their products).

Re: Re: (...not sure they have routing capabilities).

Having recently had to purchase a replacement wireless router, let me just say how happy I am not to have bought one of Cisco's.
Looks like they'd prefer me to continue not giving them money in the future as well! I hope that works out for them.

I hate how "connected" everything is today

I love my smartphone, tablet and computers as much as anyone. I have Facebook, Google+ and twitter accounts. But I am growing more and more leery of all the connectedness. I don't need my router spying on me, I don't need my thermostat spying on me, I don't need my refrigerator spying on me and I don't need my phone, Facebook, Google or anyone else spying on me. I know we give up something to use these services but things are getting out of hand and only getting worse.

How long before there is a revolution of people cutting the cord from all devices, not just their cable?

Exploitable Back Door?

I realize that Cisco is probably one of the better companies as far as securing a back door like this from hackers, but theoretically, what if someone did manage to figure out how to exploit this to load their own custom firmware onto these devices? Given the possibilities, I can't imagine that there are not a lot of disreputable folks seeking to do just that.

BTW, thanks Cisco for increasing my workload on an already busy week. I also doubt that the MSP I work for is ever going to buy another Linksys/Cisco router for the four dozen small businesses we manage moving forward. Just a flash in the pan, I'm sure, but how many other IT management companies are going to feel the same way?

I bet they won't pay for my bandwidth overages either.

I need a new router. My old Linksys is starting to be a little flaky. So, now, I will be going with re-purposing an old computer to pfSense. I had already started looking into how to set up a USB boot version of pfSense (and it can be done). So now, it will move up in priority. It used to be that Linksys had the most feature full routers and switches for the best price. They seriously started going downhill when the C-word company bought them. That C-word company seems to have taken the worst of the corporate force-it-down-your-throat mentality and applied it to consumers who have a choice to go elsewhere. From now on, my little piece of the world will receive recommendations to buy anything but C**** routers and switches so that they don't have their private info sold to the world. Having my network data monitored, collected and aggregated just doesn't do anything for me. If nothing else, it will use up my bandwidth to send it to them. In another one of those f***ing corporate money grabs, Comcast now has bandwidth caps. If my usage goes over I get charged more (and I'm betting that C**** won't repay me for the usage overages that they caused). I already block access to as many ad sites as I can, but I need to get to the router site for debugging issues. I guess I'm glad I ordered a TRENDNet gigabit switch now (24 port $109.00) for my house (and yes, I really do need a 24 port switch at home). I used to only buy Linksys. Now, they will be the only entry on my "don't buy from them" list.

The day will soon come when this is the standard:

Welcome to the "Always On" router. If your internet connection is down or our DRM servers are down, and your router is unable to validate that you are an "authorized licensed user" of our firmware product, your router hardware will stop working. Any business/local/home intranet communication functionality will cease to operate until the router can reestablish a DRM authorization so you can use the hardware that you already paid for.

Or, if we decide to no longer support your particular router model, you will also lose all functionality. In that case you will need to buy a new router.

Worth their salt?

Anyone buying tech equipment should know to stay away from "consumer" products if they expect some amount of control over what they buy. I personally own a CISCO 1900 series and 2700 series router and switch. Sure it's way more than what I need to run 10 devices in a networked home. But I don't have to worry about this crap.

Do they have RIAA/MPAA approved filtering software so they can tell when any traffic includes copyrighted material? Then Subpoena Cloud(tm) can auto-fill the IP address and serve you through the router!

So long Cisco, you just couldn't resist, could ya?

Ever since the early 90s, when I became involved with network support in my day-jobs, I'd always bought/recommended/wrote PRs for Cisco equipment. Now I'm semi-retired, doing part-time consulting for small businesses/home users. Until this, I had always recommended Cisco/Linksys for home users, and Cisco's small business Integrated Networking routers/firewall products for small business. This stops NOW.. Yes, I realize I'm only one.. But if you stop and think about how many "me's" there are in tech-dom, who do EXACTLY the same things I do, and are just as fed up with this kind of b.s. activity by corporations, you'll see that "recommender backlash" has a VERY good chance of putting a severe dent into Cisco's bottom line. Once a company has lost its credibility, it's close to impossible to get it back, ESPECIALLY with tech companies who, even though they probably won't admit it, rely on recommendations by knowledgeable techies who just happen to have LONG memories... Like maybe SONY?? Real stupid, Cisco, for you to emulate Sony...

Let em know

Usually I would rejoice you for it!

What was your plan?
Subscriptions to spam or the box filled up to auto deletion?
Cause you do know.... Cisco don't give a shit about PR? (like Carreon)
An angry email will do fuck all to change them.
Unfortunately......
Even subscriptions or filling the email box will likely fail. (It's Cisco.) They did screw over EVERY single Chinese internet user.

Interesting fact: There are way moaar internet users in China, than there are people in the U.S.A

Got to try

Maybe I have completely lost faith in humanity.
I mean...I really can't see Cisco giving a shit.
You can, and that's great, at least you are trying (unlike me).
Honestly, I hope you are right and I am wrong.

But please don't let my opinion take away from your valued contribution.
If you are right, Cisco might listen and change, for the better of humanity.

Re: Got to try

Good luck. They're only doing what everyone else in the business is doing which is downloading and implementing software and firmware upgrades to save you time and money. You know the line. "For your own good".

Ditto with this one.

The tone of Cisco's posting is one of a PR department caught with its pants down and with no way out of what's already happened. BUT I'd say that this "press release" posting changes the terms and conditions statement that they can share everything but the pictures you take of yourself in the shower to that they can't share a bloody thing. Not that it will change anything. But I'd be sure to let Cisco know via email that you keep a copy of that that's your interpretation now if you chose and keep it.
Bloody hell!

buy a loophole.

no "seems" about it...
Trust your instinct, you are 100% correct.
It's who they are selling the intercepted data to, that is the real question.
Could be Obama, could be the banks, could be the oil companies, anyone who can gain something from spying on you.

Corporate governments are great for non-human people.
Who cares if Cisco spy on people, they paid the politicians already.

What I don't understand...

I just replaced two WAPs in my home, and intentionally avoided Cisco because of this.

What I don't understand, though, is what benefit comes from this functionality? Easy remote administration of these routers has been possible out of the box for many years without involving a third-party server, so that's not the benefit.

If you have so many of these things that you need a central server to manage them all conveniently, then what you have isn't a consumer installation at all -- it's an enterprise deployment, and these devices aren't meant for you and won't make your life easier, so that can't be the benefit.

As near as I can see, this cloud router stuff brings no benefit at all, let alone enough to outweigh the drawback.

I also can't for the life of me figure out what their target market is, unless it's people who are dumb enough to think that "cloud" always means better.

It's not Cisco's (firmware developer) fault on this one.

The CCC (Commanding Corporate Crony) aka the CEO's fault. From what I've been hearing on the grapevine, the firmware developers fought against the "Cisco Cloud" BS for years. Unfortunately (yet again) the higher-ups overruled them.

Re: It's not Cisco's (firmware developer) fault on this one.

Not sure what your point is here. Even if it's 100% because of the CEO, that doesn't make it any less Cisco's fault. In fact, it makes it more so because it indicates it's a conscious move taken despite warnings from those insiders who know better.

Cisco must have a drive-thru....cause they F*CK you at the drive-thru!

Isn't Cisco the one that also starts the clock on your 90 day "support agreement" the day they sell the unit to the big box store and if the 90 day period expires even before you purchase the unit.....oh well?

This is spyware

If attackers/abusers had done this, they'd be blacklisted by now and there would be calls for legal action against them. Cisco -- in the most cowardly fashion imaginable -- is hiding behind obscure legalese to justify hijacking users' property and turning it into an intelligence gathering operation designed to harvest user data for sale to unknown third parties. This is absolutely despicable behavior.

And it's a very good reason for replacing your firmware with open-source software -- which isn't perfect, of course, but at least gives you some assurance that YOUR hardware won't be silently manipulated by a corporation that cares nothing for your privacy, your network integrity, or your operation.

Now here's the question: how long until Cisco pushes this spyware onto enterprise routers? C'mon, it has to be obvious to everyone that they want to: the only question is how and when they're going to try to pull it off.

Cisco as IP police?

I like how the "Cisco Connect Cloud Terms of Service" just happens to include
"As a condition of your use of the Service, you agree that your use of the Service in accordance with the terms and conditions of this Agreement is permitted under and will comply with the applicable laws of the country where you use the Service. You agree not to use or permit the use of the Service:... (iii) to infringe another's rights, including but not limited to any intellectual property rights... (vi) to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability."
followed by
"While we are not responsible for any content or data that you choose to access or otherwise use in connection with the Service, we reserve the right to take such action as we (i) deem necessary or (ii) are otherwise required to take by a third party or court of competent jurisdiction, in each case in relation to your access or use or misuse of such content or data. Such action may include, without limitation, discontinuing your use of the Service immediately without prior notice to you, and without refund or compensation to you."
Add to this the line from Cisco Cloud Connect Privacy Supplement
"Cisco may collect and store detailed information regarding your network configuration and usage"
and we have a nice way of taking people offline for potential IP infringement.

Re: No but this letter might get something from them.

It isn't immediately obvious because these things get written by lawyers but I'll bet dollars to donuts that what they're talking about is storing so called infringing material in their cloud. The same applies to the criminal and civil liability clause. Both are more popularly known as CYA.

The role of collecting configuration data is for support as is usage to a small extent. Though it would be nice if they actually got off their butt and said that. From some 35 years of supporting telco data and voice stuff, it was always better to know configuration of gear than not so that I could get in the back door and have a look because some 80% of the time a trouble call on a key system or switchboard was some change the customer made that caused the problem. For data that's closer to 100%.

Anyway, here's a nice sample email:
Dear Cisco,
I feel your pain at swallowing both legs up to your hips but can you imagine mine at not being able to log into my router now. Not to mention some of the bad wording in the Terms and Conditions of Use that seemed to leave me wide open to you sharing everything about me with the world.
I appreciate the clarification on your blog at: http://blogs.cisco.com/home/answering-our-customers-questions-about-cisco-connect-cloud/
that cleared up some of my concerns however you may be assured that from this point forward I will no longer use Cisco devices in my home or recommend them for any other home or small business. You have lost the good will that you've built up over 30 years with me and a number of others who I've spoken with and we all agree that no matter the technical advantages of your routers we can no longer use or recommend a router whose maker chooses to treat its customers and users in such a cavalier manner.

Attached is my receipt for my router and plug ins for each of my computing devices including smartphones and I expect a cheque in return as a full refund as the router and all Linksys devices in my home will be put in recycle in an unusable condition to prevent anyone else from suffering through this.

I've had it with all the spying. Used to think Cisco was fairly good stuff. Hearing this here, makes sure I will never again be a customer of Cisco. Simply, my money is a vote for what I believe in, product or company-wise. I spend it that way too.

Cisco has reached the list of 'never buy' products. At this point they will have to show me something else that really means something. Taking down a paragraph or two with plans to possibly reinstate it later, tells me all I need to know. Since people often refer to me on equipment and products to buy, I promise Cisco will feel the pinch from more than just one.

Because the Feds Said

This is in preparation for the new NSA Spy center being built in Utah.
The Government needs to have these types of systems in place and the Furor subsided by the time they're open for business...Just Sayin.